<rdar://problem/107150380>

I was able to reproduce the crash locally on Monterey Release ToT running the test as follows: run-webkit-tests --no-build http/tests/webgpu/webgpu/api/operation/texture_view/read.html --iterations 10 Running the test generated the following crash log: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 WebKit 0x4c5a278f5 unwrap + 0 (RawPtrTraits.h:44) [inlined] 1 WebKit 0x4c5a278f5 operator-> + 0 (Ref.h:115) [inlined] 2 WebKit 0x4c5a278f5 root + 0 (RemoteAdapterProxy.h:54) [inlined] 3 WebKit 0x4c5a278f5 root + 7 (RemoteDeviceProxy.h:52) [inlined] 4 WebKit 0x4c5a278f5 root + 11 (RemoteQueueProxy.h:50) [inlined] 5 WebKit 0x4c5a278f5 send<Messages::RemoteQueue::Destruct> + 15 (RemoteQueueProxy.h:68) [inlined] 6 WebKit 0x4c5a278f5 WebKit::WebGPU::RemoteQueueProxy::~RemoteQueueProxy() + 51 (RemoteQueueProxy.cpp:45) 7 WebKit 0x4c5a27a66 ~RemoteQueueProxy + 5 (RemoteQueueProxy.cpp:44) [inlined] 8 WebKit 0x4c5a27a66 WebKit::WebGPU::RemoteQueueProxy::~RemoteQueueProxy() + 14 (RemoteQueueProxy.cpp:44) 9 WebCore 0x4d27bb1c3 operator() + 3 (unique_ptr.h:57) [inlined] 10 WebCore 0x4d27bb1c3 deref + 20 (RefCounted.h:190) [inlined] 11 WebCore 0x4d27bb1c3 ~Ref + 44 (Ref.h:61) [inlined] 12 WebCore 0x4d27bb1c3 ~Ref + 44 (Ref.h:55) [inlined] 13 WebCore 0x4d27bb1c3 ~GPUQueue + 44 (GPUQueue.h:48) [inlined] 14 WebCore 0x4d27bb1c3 ~GPUQueue + 44 (GPUQueue.h:48) [inlined] 15 WebCore 0x4d27bb1c3 operator() + 44 (unique_ptr.h:57) [inlined] 16 WebCore 0x4d27bb1c3 deref + 44 (RefCounted.h:190) [inlined] 17 WebCore 0x4d27bb1c3 ~Ref + 44 (Ref.h:61) [inlined] 18 WebCore 0x4d27bb1c3 ~Ref + 44 (Ref.h:55) [inlined] 19 WebCore 0x4d27bb1c3 ~JSDOMWrapper + 44 (JSDOMWrapper.h:73) [inlined] 20 WebCore 0x4d27bb1c3 ~JSGPUQueue + 44 (JSGPUQueue.h:29) [inlined] 21 WebCore 0x4d27bb1c3 ~JSGPUQueue + 44 (JSGPUQueue.h:29) [inlined] 22 WebCore 0x4d27bb1c3 WebCore::JSGPUQueue::destroy(JSC::JSCell*) + 83 (JSGPUQueue.cpp:204) 23 JavaScriptCore 0x4ccaf6da6 JSC::PreciseAllocation::sweep() + 70 (PreciseAllocation.cpp:234) 24 JavaScriptCore 0x4ccaee41a JSC::MarkedSpace::sweepPreciseAllocations() + 106 (MarkedSpace.cpp:235) 25 JavaScriptCore 0x4ccabc544 sweepInFinalize + 12 (Heap.cpp:2212) [inlined] 26 JavaScriptCore 0x4ccabc544 JSC::Heap::finalize() + 100 (Heap.cpp:2152) 27 JavaScriptCore 0x4ccabbfcc JSC::Heap::handleNeedFinalize(unsigned int) + 60 (Heap.cpp:2089) 28 JavaScriptCore 0x4ccab87ee handleNeedFinalize + 14 (Heap.cpp:2100) [inlined] 29 JavaScriptCore 0x4ccab87ee JSC::Heap::finishChangingPhase(JSC::GCConductor) + 158 (Heap.cpp:1696) 30 JavaScriptCore 0x4ccaba5be changePhase + 46 (Heap.cpp:1670) [inlined] 31 JavaScriptCore 0x4ccaba5be JSC::Heap::runEndPhase(JSC::GCConductor) + 2510 (Heap.cpp:1660) 32 JavaScriptCore 0x4ccab863b JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) + 299 (Heap.cpp:1315) 33 JavaScriptCore 0x4ccad0afd operator() + 13 (Heap.cpp:1927) [inlined] 34 JavaScriptCore 0x4ccad0afd WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&) + 29 (ScopedLambda.h:106) 35 JavaScriptCore 0x4ccaeb1a5 operator()<JSC::CurrentThreadState &> + 10 (ScopedLambda.h:58) [inlined] 36 JavaScriptCore 0x4ccaeb1a5 JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&) + 117 (MachineStackMarker.cpp:224) 37 JavaScriptCore 0x4ccabc07d JSC::Heap::collectInMutatorThread() + 93 (Heap.cpp:1939) 38 JavaScriptCore 0x4ccabbed4 stopIfNecessarySlow + 40 (Heap.cpp:1908) [inlined] 39 JavaScriptCore 0x4ccabbed4 JSC::Heap::stopIfNecessarySlow() + 68 (Heap.cpp:1880) 40 JavaScriptCore 0x4ccab487e stopIfNecessary + 19 (HeapInlines.h:258) [inlined] 41 JavaScriptCore 0x4ccab487e JSC::Heap::collectIfNecessaryOrDefer(JSC::GCDeferralContext*) + 126 (Heap.cpp:2684) 42 JavaScriptCore 0x4ccae6cb2 JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 114 (LocalAllocator.cpp:125) 43 WebCore 0x4d32a2ca6 operator() + 23 (LocalAllocatorInlines.h:41) [inlined] 44 WebCore 0x4d32a2ca6 */JavaScriptCore.framework/PrivateHeaders/LocalAllocatorInlines.h:39:9)> + 23 (FreeListInlines.h:46) [inlined] 45 WebCore 0x4d32a2ca6 allocate + 23 (LocalAllocatorInlines.h:38) [inlined] 46 WebCore 0x4d32a2ca6 allocate + 23 (AllocatorInlines.h:35) [inlined] 47 WebCore 0x4d32a2ca6 allocate + 59 (IsoSubspaceInlines.h:36) [inlined] 48 WebCore 0x4d32a2ca6 tryAllocateCellHelper<WebCore::JSLocalDOMWindow, JSC::AllocationFailureMode::Assert> + 59 (JSCellInlines.h:175) [inlined] 49 WebCore 0x4d32a2ca6 void* JSC::allocateCell<WebCore::JSLocalDOMWindow>(JSC::VM&, unsigned long) + 150 (JSCellInlines.h:191) 50 WebCore 0x4d3281095 create + 13 (JSLocalDOMWindow.h:40) [inlined] 51 WebCore 0x4d3281095 WebCore::JSWindowProxy::setWindow(WebCore::DOMWindow&) + 613 (JSWindowProxy.cpp:112) 52 WebCore 0x4d32a210b WebCore::WindowProxy::setDOMWindow(WebCore::DOMWindow*) + 459 (WindowProxy.cpp:173) 53 WebCore 0x4d3b0e4af WebCore::FrameLoader::clear(WTF::RefPtr<WebCore::Document, WTF::RawPtrTraits<WebCore::Document>, WTF::DefaultRefDerefTraits<WebCore::Document> >&&, bool, bool, bool, WTF::Function<void ()>&&) + 495 (FrameLoader.cpp:707) 54 WebCore 0x4d3aebb23 WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*, WebCore::ProcessQualified<WTF::UUID>, WebCore::NavigationAction const*) + 499 (DocumentWriter.cpp:171) 55 WebCore 0x4d3ae6664 WebCore::DocumentLoader::commitData(WebCore::SharedBuffer const&) + 308 (DocumentLoader.cpp:1248) 56 WebKit 0x4c5aec952 WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, WebCore::SharedBuffer const&) + 58 (WebFrameLoaderClient.cpp:1247) 57 WebCore 0x4d3aeb866 WebCore::DocumentLoader::commitLoad(WebCore::SharedBuffer const&) + 182 (DocumentLoader.cpp:1212) 58 WebCore 0x4d3d35b58 operator() + 13 (Function.h:82) [inlined] 59 WebCore 0x4d3d35b58 WebCore::FragmentedSharedBuffer::forEachSegmentAsSharedBuffer(WTF::Function<void (WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >&&)> const&) const + 152 (SharedBuffer.cpp:284) 60 WebCore 0x4d3ba5cc8 WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&)::$_0::operator()(WebCore::ResourceRequest&&)::'lambda'()::operator()() const + 152 (CachedRawResource.cpp:178) 61 WebCore 0x4d3afd70b operator() + 9 (Function.h:82) [inlined] 62 WebCore 0x4d3afd70b operator() + 17 (CompletionHandler.h:75) [inlined] 63 WebCore 0x4d3afd70b operator() + 71 (DocumentLoader.cpp:1029) [inlined] 64 WebCore 0x4d3afd70b WTF::Detail::CallableWrapper<WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_9, void, WebCore::PolicyAction, WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::LocalPolicyCheckIdentifierType> > >::call(WebCore::PolicyAction, WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::LocalPolicyCheckIdentifierType> >) + 75 (Function.h:53) 65 WebKit 0x4c5b1dd69 operator() + 9 (Function.h:82) [inlined] 66 WebKit 0x4c5b1dd69 WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebKit::PolicyDecision&&) + 227 (WebFrame.cpp:440) 67 WebKit 0x4c5bada42 WebKit::WebPage::didReceivePolicyDecision(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, unsigned long long, WebKit::PolicyDecision&&) + 268 (WebPage.cpp:3809) 68 WebKit 0x4c5bc5cad operator()<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, unsigned long long, WebKit::PolicyDecision> + 23 (HandleMessage.h:136) [inlined] 69 WebKit 0x4c5bc5cad */HandleMessage.h:135:9), WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, unsigned long long, WebKit::PolicyDecision> + 23 (type_traits:3924) [inlined] 70 WebKit 0x4c5bc5cad */HandleMessage.h:135:9), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, unsigned long long, WebKit::PolicyDecision>, 0UL, 1UL, 2UL> + 30 (tuple:1536) [inlined] 71 WebKit 0x4c5bc5cad */HandleMessage.h:135:9), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, unsigned long long, WebKit::PolicyDecision> > + 30 (tuple:1545) [inlined] 72 WebKit 0x4c5bc5cad callMemberFunction<WebKit::WebPage, WebKit::WebPage, void (WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, unsigned long long, WebKit::PolicyDecision &&), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, unsigned long long, WebKit::PolicyDecision> > + 30 (HandleMessage.h:134) [inlined] 73 WebKit 0x4c5bc5cad handleMessage<Messages::WebPage::DidReceivePolicyDecision, WebKit::WebPage, WebKit::WebPage, void (WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, unsigned long long, WebKit::PolicyDecision &&)> + 55 (HandleMessage.h:236) [inlined] 74 WebKit 0x4c5bc5cad WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) + 333 (WebPageMessageReceiver.cpp:579) 75 WebKit 0x4c5c9a918 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 250 (MessageReceiverMap.cpp:129) 76 WebKit 0x4c596bb2c WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 28 (WebProcess.cpp:931) 77 WebKit 0x4c5c9654a IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 240 (Connection.cpp:1245) 78 WebKit 0x4c5c966db IPC::Connection::dispatchOneIncomingMessage() + 169 (Connection.cpp:1310) 79 JavaScriptCore 0x4cbf65bff operator() + 9 (Function.h:82) [inlined] 80 JavaScriptCore 0x4cbf65bff WTF::RunLoop::performWork() + 415 (RunLoop.cpp:147) 81 JavaScriptCore 0x4cbf66632 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:46) 82 CoreFoundation 0x7ff80568917b __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 83 CoreFoundation 0x7ff8056890e3 __CFRunLoopDoSource0 + 180 84 CoreFoundation 0x7ff805688e5d __CFRunLoopDoSources0 + 242 85 CoreFoundation 0x7ff805687878 __CFRunLoopRun + 892 86 CoreFoundation 0x7ff805686e3c CFRunLoopRunSpecific + 562 87 Foundation 0x7ff8064e4d4a -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 216 88 Foundation 0x7ff80656f797 -[NSRunLoop(NSRunLoop) run] + 76 89 libxpc.dylib 0x7ff80530a786 _xpc_objc_main + 773 90 libxpc.dylib 0x7ff80530a1a9 xpc_main + 99 91 WebKit 0x4c54f5e9c WebKit::XPCServiceMain(int, char const**) + 60 (XPCServiceMain.mm:260) 92 dyld 0x102efb52e start + 462 Full crash log attached to bug.

Created attachment 465557 [details] Full crash log from repo.

I have bisected the regression point to https://commits.webkit.org/261998@main. The same crash as above started occurring there. The crash did not occur at 261996@main, and 261997@main only appears to be a GTK change. So it appears that https://commits.webkit.org/261998@main is what caused these crashes.

This has been resolved with the following revert: https://commits.webkit.org/262044@main